MEMORANDUM 


August 10, 1998 


From: 

TO: 


WCIS 



Subj: WRIGHT PATTERSON AIR FORCE BASE 
VICTIM; CITA - COMPUTER INTRUSION 
288-CI-NEW 


1. As requested, [redacted] forwarded a request to the Fleet Intelligence 
Warfare Center (FIWC) to provide all information relating to the following Russian 
ISPs: 

Cityline.ru 
Microdin.ru 
Sovam.com 
Orc.ru 
Demos.net 
Demos.su 

Additionally, the following passwords and tools/usernames were researched: 
Passwords: 




Tools/usernames: 



2. Attached are the results of a search of FIWC's database. The FIWC will report any 
additional information pertinent to this tasking as it becomes available. 
10 August 1998 


The following pages pertain to the Russian Internet addresses you provided. I have also included 
the incidents that we have seen from those sites. 


We don't have any information in our database on the passwords [redacted], 
nor do we have any information on the usernames [redacted]. 

Additionally, we have no information regarding the files that were stolen from Wright-Patterson 
AFB. We don't monitor the IRC, so I can't answer the question regarding anyone bragging about 
this activity. Lastly, we don't have enough information to determine if this hacking style is similar 
to other hacks. There's nothing in our database to indicate any similarities. 


Regarding the other known threats using X Windows, the following is provided: 


There are three major areas to look at when talking about security concerns with an X Windows 
system. The first is access control. The "xhost" command denies remote connections to an X 
server. An improperly configured X server would allow an unauthorized user to watch keystrokes, 
grab copies of windows on the local system, or even export displays onto the misconfigured box. 
The second concern is connections to the X server. In order to connect to the server to tell it 
to export X displays, a user must log into it via a shell (login, rsh, telnet, or ssh). Most protocols 
don't use encryption and the login could be sniffed. This would allow a hacker to use a valid 
account and use an X system for their own purposes. The last concern is buffer overruns. A 
hacker would exploit a buffer overrun by tasking the X application with input it was not designed 
to handle. The user would then have shell access equivalent to the access the process was running 
at. If the program was setuid to run as root for everybody, then the hacker has root access! All 
three of the concerns can be addressed and handled. The access control problem is simple. A 
command of "xhost -" denies anyone access. Then access can be granted for those that absolutely 
need it. The unencrypted login can be solved by using a secure login method like secure shell. 
The buffer overruns are a bit harder to get a hold of. These types of exploits vary from operating 
system to operating system. The system administrator of the network needs to know the different 
operating systems and check the vendor pages for alerts and patches on a routine basis. These 
precautions keep the security risks associated with this service under control. 
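The three checks described above, as an added shell example that is not part of the original memorandum: it classifies the access-control report that `xhost` prints (using constructed sample reports in place of a live `xhost` call), lists setuid binaries under a directory so setuid-root X clients can be tracked for vendor patches, and wraps the "xhost -" deny-then-grant step. All function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the memorandum. Helper names are hypothetical.

# classify_xhost TEXT: reads the report `xhost` prints with no arguments and
# answers "open" (any host may connect), "ok" (access control on, nobody
# granted), "restricted:N" (access control on, N granted entries) or "unknown".
classify_xhost() {
    case "$1" in
        *"access control disabled"*)
            echo "open" ;;
        *"access control enabled"*)
            # every line after the header names a host or local user granted access
            n=$(printf '%s\n' "$1" | grep -v -e "access control" -e '^$' | wc -l | tr -d ' ')
            if [ "$n" -gt 0 ]; then echo "restricted:$n"; else echo "ok"; fi ;;
        *)
            echo "unknown" ;;
    esac
}

# list_setuid DIR: setuid binaries under DIR. A setuid-root X client with an
# overrun is the memo's "root access" case, so these need patch tracking.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# harden_xhost HOST...: the memo's fix, deny everyone, then grant only those named.
harden_xhost() {
    xhost - >/dev/null && for h in "$@"; do xhost "+$h"; done
}

# Constructed sample reports standing in for `xhost` output on three servers.
XHOST_OPEN="access control disabled, clients can connect from any host"
XHOST_OK="access control enabled, only authorized clients can connect"
XHOST_LIST="access control enabled, only authorized clients can connect
INET:admin-ws.example.org
SI:localuser:alice"

# Run the classifier over the samples when executed directly.
for r in "$XHOST_OPEN" "$XHOST_OK" "$XHOST_LIST"; do
    printf '%s -> %s\n' "$(printf '%s' "$r" | head -n 1)" "$(classify_xhost "$r")"
done
```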




I hope this information is useful and what you need. Please let me know if there is anything else I 
can do. 



Cityline.ru 
Name: ns1.cityline.ru 
Address: 


inetnum: 
netname: CITYLINERU 

descr: Cityline offers dial-up and leased line access to Internet 


descr: for Moscow and St.Peterburg regions, 
country: RU 
admin-c: AD705-RIPE 
tech-c: MB427-RIPE 
status: ASSIGNED PA 



notify: Error! Bookmark not defined, 
mnt-by: CITYLINERU-MNT 
source: RIPE 


descr: Cityline offers dial-up and leased line access to Internet 
descr: for Moscow and St.Peterburg regions, 
origin: AS8498 

notify: Error! Bookmark not defined, 
mnt-by: CITYLINERU-MNT 
source: RIPE 




person: 
address: 
address: 
address: 
phone: 
fax-no: 

e-mail: Error! Bookmark not defined. 



nic-hdl: AD705-RIPE 

notify: Error! Bookmark not defined. 

source: RIPE 


person: 

address: 

address: 

address: 

phone: 

e-mail: 





nic-hdl: MB427-RIPE 
source: RIPE 





microdin.ru (NAVCIRT Incident 98-5 of 6Jan98) 
Name: microdin.ru 
Address: 


inetnum: 



netname: MICRONET 
descr: MicroNet Ltd. 



descr: Requested network ip numbers will be used for connecting 

descr: to Macomnet, 

country: RU 

admin-c: SB 1164-RIPE 

tech-c: DV86-RIPE 

status: ASSIGNED PA 


notify: Error! Bookmark not defined, 
source: RIPE 


route: 

descr: MicroNet Ltd. 
descr: 18 Novozavodskaya st. 
descr: Moscow Russia 121309 
origin: AS8470 

notify: Error! Bookmark not defined, 
notify: Error! Bookmark not defined. 
mnt-by: MACOMNET-MNT 
source: RIPE 


person: 
address: MicroNet Ltd. 


address: 18 Novozavodskaya st. 

address: 121309, Moscow, Russia 

phone:+7 095 145-9520 

phone: +7 095 145-9522 

phone: +7 095 142-0618 

fax-no: +7 095 924-0464 

e-mail: Error! Bookmark not defined. 

nic-hdl: SB 1164-RIPE 

source: RIPE 



person: 
address: 
address: 
address: 
phone: 
e-mail: 
nic-hdl: DV86-RIPE 
source: RIPE 


sovam.com 

sovam.com preference = 200, mail exchanger = relay2.sovam.com 
sovam.com preference = 100, mail exchanger = relay1.sovam.com 
sovam.com nameserver = ns2.sovam.com 
sovam.com nameserver = nic.near.net 
sovam.com nameserver = pandora.af.ca.ua 
sovam.com nameserver = ns.sovam.com 
relay2.sovam.com internet address 
relay1.sovam.com internet address 
ns2.sovam.com internet address 
nic.near.net internet address 
pandora.sf.ca.ua internet address 
ns.sovam.com internet address 
[rs.internic.net] 

Registrant: 

Sovam Teleport (SOVAM-DOM) 

2A Nezhdanova st 
Moscow, Russia 109003 
RU 




Domain Name: SOVAM.COM 

Administrative Contact: 

(KA41) Error! Bookmark not defined. 


Technical Contact, Zone Contact: 

Semenyuk, Igor (IS13) Error! Bookmark not defined. 


Record last updated on 19-Mar-98. 

Record created on 22-Jan-93. 

Database last updated on 6-Aug-98 04:06:34 EDT. 

Domain servers in listed order: 


NS.SOVAM.COM 
NS2.SOVAM.COM 
NIC.NEAR.NET 




inetnum: 

descr: Sovam Teleport 
descr: Moscow, Russia 
country: RU 
admin-c: AK57-RIPE 
tech-c: IS13 
rev-srv: ns.sovam.com 
rev-srv: ns2.sovam.com 
rev-srv: nic.near.net 
status: ASSIGNED PA 
notify: Error! Bookmark not defined, 
mnt-by: AS3216-MNT 
source: RIPE 
descr: Demos Plus Co. Ltd. 
descr: Moscow, Russia 
country: RU 
admin-c: PA75 
tech-c: ED12-RIPE 
tech-c: OB90-RIPE 
tech-c: GK41-RIPE 


mnt-by: AS2578-MNT 
source: RIPE 

route: 

descr: 

origin: AS2578 
notify: Error! Bookmark not defined, 
mnt-by: AS2578-MNT 
source: RIPE 



person: 

address: Demos Plus Co. Ltd. 

address: Ovchinnikovskaya nab. 6/1 

address: Moscow 113035 

address: Russia 

phone: +7095 9566233 

phone: +7 095 9566234 

fax-no:+7 095 9565042 

e-mail: Error! Bookmark not defined. 

nic-hdl: PA75 

source: RIPE 




person: 

address: Demos Company Ltd. 

address: 6-1 Ovchinnikovskaya nab. 

address: Moscow 113035 

address: Russia 

phone: +7 095 956 6233 

phone: +7 095 956 6234 

fax-no:+7 095 233 5016 

e-mail: Error! Bookmark not defined. 

nic-hdl: ED12-RIPE 

notify: Error! Bookmark not defined. 

source: RIPE 



demos.su 

demos.su preference = 100, mail exchanger = relay2.demos.su 
demos.su preference = 50, mail exchanger = relay1.demos.su 
demos.su nameserver = ns.demos.su 
demos.su nameserver = ns1.demos.net 
demos.su nameserver = ns.ussr.eu.net 
relay2.demos.su internet address 
relay1.demos.su internet address 
ns.demos.su internet address 
ns.demos.su internet address 
ns1.demos.net internet address 
ns.ussr.eu.net internet address 





% Rights restricted by copyright. See Error! Bookmark not defined. 


netname: RU-DEMOS-970415 
descr: PROVIDER 
descr: Demos Company Ltd. 
country: RU 
admin-c: ED11-RIPE 
admin-c: AAP1-RIPE 
tech-c: SL6-RIPE 
tech-c: OB36-RIPE 
status: ALLOCATED PA 
mnt-by: RIPE-NCC-HM-MNT 
source: RIPE 


origin: AS2578 

notify: Error! Bookmark not defined, 
mnt-by: AS2578-MNT 
source: RIPE 





address: Demos Company Ltd. 

address: 6-1 Ovchinnikovskaya nab. 

address: Moscow 113035 

address: Russia 

phone: +7 095 956 6233 

phone: +7 095 956 6234 

fax-no: +7 095 233 5016 

e-mail: Error! Bookmark not defined. 

nic-hdl: ED12-RIPE 

notify: Error! Bookmark not defined. 

source: RIPE 
person: 

address: Russian Institute for Public Networks 

address: 1, Kurchatov sq. 

address: Moscow 

address: Russia 

phone: +7 095 1967278 

fax-no: +7 095 1964984 

e-mail: Error! Bookmark not defined. 

nic-hdl: AAP1-RIPE 

remarks: Admin contact for SU domain 

remarks: xSU/RU NIC contact 

source: RIPE 






person: 
address: 
address: 1 Kurchatov square 
address: 123182 Moscow 
address: Russia 
phone:+7 095 196 7363 
fax-no:+7 095 196 4984 
e-mail: Error! Bookmark not defined, 
nic-hdl: SL6-RIPE 
source: RIPE 




person: 

address: Russian Institute for Public Networks 

address: 1 Kurchatov square 

address: 123182 Moscow 

address: Russia 

phone:+7 095 192 7933 

fax-no:+7 095 946 9841 

e-mail: Error! Bookmark not defined. 

nic-hdl: OB36-RIPE 

notify: Error! Bookmark not defined. 

source: RIPE 
microdin.ru 


sovam.com 


orc.ru 
no hits on old database (to mid Jul 1998) 

demos.net 


demos.su 
no hits on old database (to mid Jul 1998) 




